12

I have an C#, .Net 4.6.1 Windows Forms Application running on Windows Server Platforms (2008 or higher) which requires to be "Run as Administrator". Elevated privileges are required because the application changes User Access Rights on various folders (underneath the IIS Default Web Site Root if that matters).

I have no luck in detecting if the application has been "Run as Administrator". If I start the application normally (that is not as Administrator) the following code

var isAdmin = WindowsIdentity.GetCurrent().Owner.IsWellKnown(WellKnownSidType.BuiltinAdministratorsSid);

returns true but the code which changes some User Access Rights on a Directory fails with a Insufficient Privileges Error.

If I run the application as administrator the above check also returns true, but the changing of User Access rights works just fine.

Other attempts I have made without success:

  • Using the GetTokenInformation method inside the advapi32.dll as suggested here
  • Adding a manifest file to the application where I set the requestedExecutionLevel to requireAdministrator

Thanks in advance for any help.

Mats
  • 13,840
  • 29
  • 73
  • 106
  • As a workaround you could just initially check, can you change access rights on specific folder and if not, notify the user about insufficient rights. Unfortunately I have no direct experience with this kind of code and cannot give helpful answer :( – Arvo Jan 29 '16 at 09:39
  • Thank you @Arvo. I implemented a similar workaround for now. Still would like to find an answer. – Mats Feb 04 '16 at 09:02
  • So what actually happened when you used the manifest? – Damien_The_Unbeliever Feb 04 '16 at 09:08
  • Do you want to know if the current user who is running the programm is an administrator or if the application got started with administrator privileges -> "Run as Administrator". [Because currently you checking if the user is admin.](http://stackoverflow.com/questions/3600322/check-if-the-current-user-is-administrator) – C0d1ngJammer Feb 04 '16 at 09:11
  • @Damien_The_Unbeliever, nothing. I expexted a prompt when the application is launched but nothing happens. – Mats Feb 04 '16 at 09:20
  • @C0dingJammer, I need to know whether the App has been started as an Administrator. In the OP I mentioned that the current user being an Admin (or the in Admins group) does not necessarily mean he can perform the change of access-rights as required. But when the App is started 'as an Administrator' everything seems to work fine. – Mats Feb 04 '16 at 09:23
  • 1
    Duplicate? See [this](http://stackoverflow.com/questions/1220213/detect-if-running-as-administrator-with-or-without-elevated-privileges), eg – sq33G Feb 04 '16 at 13:32

2 Answers2

2

Try to change the permissions of a known folder and if there is an exception then you know the program has not been run as administrator.

Dave3of5
  • 590
  • 3
  • 18
  • I think the OP is looking for a more elegant solution, as he is already getting an insufficient privilege error as per his question. – Lemonseed Feb 08 '16 at 08:13
  • 1
    I second what @Dave mentioned above. I've already implemented a work-around like this. But that doesn't answer my question. – Mats Feb 09 '16 at 12:29
  • @Matthias As far as I can see it's tricky to determine if the program is being run as administrator. Not sure I could really help you out more. In terms of a more elegant solution I'm not sure there is anything. I'm curious as to why the manifest change didn't work for you ? – Dave3of5 Feb 10 '16 at 11:58
2

The following must work (I hope so; I have a Windows client and it's working with me).

var Identity = WindowsIdentity.GetCurrent();
var Principal = new WindowsPrincipal(Identity);
bool IsAdmin = Principal.IsInRole(WindowsBuiltInRole.Administrator);
Peter Mortensen
  • 28,342
  • 21
  • 95
  • 123
Ahmad Alloush
  • 131
  • 1
  • 5
  • If you add `|| Principal.IsInRole(0x200)` to the IsAdmin bool it should also detect Domain Admins, same counts `0x220` for local group Administrators. [MSDN](https://msdn.microsoft.com/en-us/library/86wd8zba%28v=vs.110%29.aspx) – Arena Feb 07 '16 at 20:14
  • I stated in my OP that I used code like this without success. – Mats Feb 09 '16 at 12:28
  • You stated that `.Owner.IsWellKnown...` was used without success, the code above has not been stated, have you tried this specific code? It might be that you're looking only for the '0x200' flag as local administrators might not be able to change UAC Rights. – Arena Feb 09 '16 at 16:33
  • @Arena I tried your code but it yields identical results when beeing executed normally and "Run as Administrator"). – Mats Feb 10 '16 at 12:27
  • @Matthias Are you sure the folder isn't a [symbolic link](https://msdn.microsoft.com/en-us/library/windows/desktop/aa365680%28v=vs.85%29.aspx) as described in [this issue](http://www.techsupportforum.com/forums/f128/solved-c-net-insufficient-privileges-584413.html)? – Arena Feb 10 '16 at 12:52
  • @Arena 100% positive. It's not a symlink. It's a folder ;) – Mats Feb 10 '16 at 13:02
  • I would like to thank Arena for his contribute and I am sorry to hear that, the problem that I don't have any windows server version to test my code on,I have tried this on windows 7 and it worked perfectly, and it's really weird that this code is working on client version and not working with the server one...any way when I find something new about the server version I will update the post, good luck – Ahmad Alloush Feb 11 '16 at 12:14